Threat Event
An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.
| Field | Value |
|---|---|
| ID | CAPEC-122 |
| Latest Sync Date | 11/05/25 15:15:38 |
| Original ID | 122 |
| Abstraction | Meta |
| Status | Draft |
| Alternate Terms | |
| Likelihood Of Attack | High |
| Typical Severity | Medium |
| Related Attack Patterns | CanPrecede: CAPEC-664 |
| Execution Flow | |
| Prerequisites | (1) The target must have misconfigured its access control mechanisms such that sensitive information, which should only be accessible to more trusted users, remains accessible to less trusted users. (2) The adversary must have access to the target, albeit with an account that is less privileged than would be appropriate for the targeted resources. |
| Skills Required | Low: the adversary can leverage privileged features they already have access to without additional effort or skill; they only need access to an account with improper privileges. |
| Resources Required | None: no specialized resources are required to execute this type of attack. The ability to access the target is required. |
| Indicators | |
| Consequences | Integrity: Modify Data; Confidentiality: Read Data; Authorization: Execute Unauthorized Commands (Run Arbitrary Code); Authorization: Gain Privileges; Access Control, Authorization: Bypass Protection Mechanism |
| Mitigations | Configure account privileges such that privileged/administrator functionality is not exposed to non-privileged/lower accounts. |
| Example Instances | Improperly configured account privileges allowed unauthorized users on a hospital's network to access the medical records of over 3,000 patients, compromising data integrity and confidentiality in addition to causing HIPAA violations. |
| Related Weaknesses | CWE-269, CWE-732, CWE-1317 |
| Taxonomy Mappings | ATT&CK T1548: Abuse Elevation Control Mechanism |
| Notes | |